Handle malformed encrypted requests without panics
Signed-off-by: Sean Du <do4suki@gmail.com>
This commit is contained in:
@@ -33,7 +33,10 @@ func handshake(ctx *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
decryptedData := encrypt.RSADecrypt(data)
|
||||
decryptedData, err := encrypt.RSADecrypt(data)
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
|
||||
params, err := url.ParseQuery(string(decryptedData))
|
||||
if ss.CheckErr(err) {
|
||||
|
||||
@@ -25,7 +25,10 @@ func authKey(ctx *gin.Context) {
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
dummyTokenDecrypted := encrypt.RSADecrypt(dummyToken)
|
||||
dummyTokenDecrypted, err := encrypt.RSADecrypt(dummyToken)
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
|
||||
// aesKey := dummyTokenDecrypted[0:16]
|
||||
// authData, err := base64.StdEncoding.DecodeString(reqData.Get("auth_data").String())
|
||||
|
||||
@@ -41,6 +41,10 @@ func login(ctx *gin.Context) {
|
||||
}
|
||||
|
||||
xmcKey := utils.XOR(clientToken, serverToken)
|
||||
if len(xmcKey) < 16 {
|
||||
ss.Abort(errors.New("invalid login token data"))
|
||||
return
|
||||
}
|
||||
aesKey := xmcKey[0:16]
|
||||
|
||||
reqData := gjson.Parse(ctx.MustGet("request_data").(string))
|
||||
@@ -48,7 +52,15 @@ func login(ctx *gin.Context) {
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
loginKey := encrypt.AESCBCDecrypt(key, aesKey)[16:]
|
||||
decryptedLoginKey, err := encrypt.AESCBCDecrypt(key, aesKey)
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
if len(decryptedLoginKey) < 16 {
|
||||
ss.Abort(errors.New("invalid login key"))
|
||||
return
|
||||
}
|
||||
loginKey := decryptedLoginKey[16:]
|
||||
// fmt.Println("loginKey", string(loginKey))
|
||||
|
||||
// password, err := base64.StdEncoding.DecodeString(reqData.Get("login_passwd").String())
|
||||
|
||||
@@ -186,13 +186,21 @@ func (ss *Session) CheckErr(err error) bool {
|
||||
}
|
||||
|
||||
func (ss *Session) Respond(resp any) {
|
||||
if ss.done {
|
||||
return
|
||||
}
|
||||
|
||||
data, err := json.Marshal(resp)
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
|
||||
ss.resp.setHeader("Content-Type", "application/json")
|
||||
ss.resp.setHeader("X-Message-Sign", base64.StdEncoding.EncodeToString(encrypt.RSASignSHA1(data)))
|
||||
signature, err := encrypt.RSASignSHA1(data)
|
||||
if ss.CheckErr(err) {
|
||||
return
|
||||
}
|
||||
ss.resp.setHeader("X-Message-Sign", base64.StdEncoding.EncodeToString(signature))
|
||||
ss.resp.writeBody(http.StatusOK, string(data))
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user